Network Service: Update browser test for setting x-frame-options headers to web store requests

This CL updates the currently disabled browser tests for setting x-frame-options headers to
web store requests.

Bug: 852877
Cq-Include-Trybots: luci.chromium.try:linux_mojo
Change-Id: I8e131848a37a8fbf5b9f4bdb53bcbb225440330d
Reviewed-on: https://chromium-review.googlesource.com/1155931Reviewed-by: Reilly Grant <reillyg@chromium.org>
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Reviewed-by: Matt Menke <mmenke@chromium.org>
Commit-Queue: Jun Cai <juncai@chromium.org>
Cr-Commit-Position: refs/heads/master@{#581028}

chrome/browser/extensions/api/webstore_private/webstore_private_apitest.cc

@@ -28,6 +28,7 @@
 #include "content/public/browser/gpu_data_manager.h"
 #include "content/public/browser/notification_observer.h"
 #include "content/public/browser/notification_registrar.h"
+#include "content/public/browser/render_frame_host.h"
 #include "content/public/test/browser_test_utils.h"
 #include "extensions/browser/api/management/management_api.h"
 #include "extensions/browser/extension_dialog_auto_confirm.h"
@@ -187,34 +188,39 @@ class ExtensionWebstorePrivateApiTest : public ExtensionApiTest {
 };
 
 // Test cases for webstore origin frame blocking.
-// TODO(mkwst): Disabled until new X-Frame-Options behavior rolls into
-// Chromium, see crbug.com/226018.
 IN_PROC_BROWSER_TEST_F(ExtensionWebstorePrivateApiTest,
-                       DISABLED_FrameWebstorePageBlocked) {
-  base::string16 expected_title = base::UTF8ToUTF16("PASS: about:blank");
-  base::string16 failure_title = base::UTF8ToUTF16("FAIL");
-  content::TitleWatcher watcher(GetWebContents(), expected_title);
-  watcher.AlsoWaitForTitle(failure_title);
+                       FrameWebstorePageBlocked) {
   GURL url = embedded_test_server()->GetURL(
       "/extensions/api_test/webstore_private/noframe.html");
+  content::WebContents* web_contents = GetWebContents();
   ui_test_utils::NavigateToURL(browser(), url);
-  base::string16 final_title = watcher.WaitAndGetTitle();
-  EXPECT_EQ(expected_title, final_title);
+  ASSERT_TRUE(content::ExecuteScript(web_contents, "dropFrame()"));
+  WaitForLoadStop(web_contents);
+  content::RenderFrameHost* subframe =
+      content::ChildFrameAt(web_contents->GetMainFrame(), 0);
+  ASSERT_TRUE(subframe);
+  // The subframe load should fail due to XFO. Currently that results in
+  // loading a blank page with the URL "data:,", but this check will need to
+  // change when XFO failures result in an error page - see
+  // https://crbug.com/870815.
+  EXPECT_EQ(GURL("data:,"), subframe->GetLastCommittedURL());
 }
 
-// TODO(mkwst): Disabled until new X-Frame-Options behavior rolls into
-// Chromium, see crbug.com/226018.
-IN_PROC_BROWSER_TEST_F(ExtensionWebstorePrivateApiTest,
-                       DISABLED_FrameErrorPageBlocked) {
-  base::string16 expected_title = base::UTF8ToUTF16("PASS: about:blank");
-  base::string16 failure_title = base::UTF8ToUTF16("FAIL");
-  content::TitleWatcher watcher(GetWebContents(), expected_title);
-  watcher.AlsoWaitForTitle(failure_title);
+IN_PROC_BROWSER_TEST_F(ExtensionWebstorePrivateApiTest, FrameErrorPageBlocked) {
   GURL url = embedded_test_server()->GetURL(
       "/extensions/api_test/webstore_private/noframe2.html");
+  content::WebContents* web_contents = GetWebContents();
   ui_test_utils::NavigateToURL(browser(), url);
-  base::string16 final_title = watcher.WaitAndGetTitle();
-  EXPECT_EQ(expected_title, final_title);
+  ASSERT_TRUE(content::ExecuteScript(web_contents, "dropFrame()"));
+  WaitForLoadStop(web_contents);
+  content::RenderFrameHost* subframe =
+      content::ChildFrameAt(web_contents->GetMainFrame(), 0);
+  ASSERT_TRUE(subframe);
+  // The subframe load should fail due to XFO. Currently that results in
+  // loading a blank page with the URL "data:,", but this check will need to
+  // change when XFO failures result in an error page - see
+  // https://crbug.com/870815.
+  EXPECT_EQ(GURL("data:,"), subframe->GetLastCommittedURL());
 }
 
 // Test cases where the user accepts the install confirmation dialog.

chrome/test/data/extensions/api_test/webstore_private/noframe.html

 <!DOCTYPE html>
-<body onload="dropFrame()">
+<body>
 This represents not an extension, but an HTML page within the test harness
 webstore origin (www.example.com), for which the response headers have been
 misconfigured to allow framing by the 127.0.0.1 origin.
+</body>
 <script>
-var interval_id = -1;
-var check_count = 0;
 function dropFrame() {
   var s = location.href.toString();
   if (s.indexOf('127.0.0.1') > 0) {
     // try to frame a copy of ourselves from the webstore origin.
     var f = document.createElement('iframe');
     f.src = s.replace('127.0.0.1', 'www.example.com');
-    f.onload = checkFrame;
-    f.onerror = checkFrame;
     document.body.appendChild(f);
-    // There's an open issue in WK where neither onload or onerror fires
-    // when interrupted by XFO, so use a setInterval() workaround.  Remove
-    // this workaround when resolved, but in the mean time, mark the test
-    // FLAKY, because there is no reason to believe the server will respond
-    // within the time frame.
-    interval_id = setInterval("checkFrame()", 500);
-  }
-}
-
-function checkFrame() {
-  try {
-    // If the frame was blocked, we instead have an about:blank frame which we
-    // can access.
-    x = window.frames[0].document.location.href;
-    document.title = 'PASS: ' + x;
-    clearInterval(interval_id);
-  }
-  catch (e) {
-    // Frame was not yet blocked, so we have no access.
-    if (++check_count > 40) {
-      document.title = 'FAIL';
-      clearInterval(interval_id);
-    }
   }
 }
 </script>

chrome/test/data/extensions/api_test/webstore_private/noframe2.html

 <!DOCTYPE html>
-<body onload="dropFrame()">
+<body>
 This represents not an extension, but an HTML page within an untrusted
 origin (127.0.0.1).
+</body>
 <script>
-var interval_id = -1;
-var check_count = 0;
 function dropFrame() {
   var s = location.href.toString();
   if (s.indexOf('127.0.0.1') > 0) {
@@ -15,30 +14,7 @@ function dropFrame() {
     s = s.replace('127.0.0.1', 'www.example.com');
     s = s.replace('/extensions/', '/nonesuch/extensions/');
     f.src = s;
-    f.onload = checkFrame;
-    f.onerror = checkFrame;
     document.body.appendChild(f);
-    // Due to https://bugs.webkit.org/show_bug.cgi?id=90660 neither onload
-    // or onerror fires when interrupted by XFO, so use a setInterval()
-    // workaround. Remove this workaround when resolved.
-    interval_id = setInterval("checkFrame()", 500);
-  }
-}
-
-function checkFrame() {
-  try {
-    // If the frame was blocked, we instead have an about:blank frame which we
-    // can access.
-    x = window.frames[0].document.location.href;
-    document.title = 'PASS: ' + x;
-    clearInterval(interval_id);
-  }
-  catch (e) {
-    // Frame was not yet blocked, so we have no access.
-    if (++check_count > 40) {
-      document.title = 'FAIL';
-      clearInterval(interval_id);
-    }
   }
 }
 </script>

testing/buildbot/filters/mojo.fyi.network_browser_tests.filter

@@ -263,6 +263,11 @@
 # about an origin.
 -ReportingBrowserTest.TestReportingHeadersProcessed
 
+# Add magic x-frame-options headers to web store requests
+# https://crbug.com/852877
+-ExtensionWebstorePrivateApiTest.FrameErrorPageBlocked
+-ExtensionWebstorePrivateApiTest.FrameWebstorePageBlocked
+
 # NOTE: if adding an exclusion for an existing failure (e.g. additional test for
 # feature X that is already not working), please add it beside the existing
 # failures. Otherwise please reach out to network-service-dev@.